Jouni Malinen [Sat, 1 Mar 2025 10:07:45 +0000 (12:07 +0200)]
SAE: Do not mark SAE enabled network disabled if PSK is not set
SAE does not PSK, i.e., it is sufficient for the passphrase to be set in
cases where the psk parameter instead of the SAE specific sae_password
is used.
Jouni Malinen [Sat, 1 Mar 2025 10:05:48 +0000 (12:05 +0200)]
OpenSSL: More debug prints on EVP digest/cipher failures
The EVP operations may fail if OpenSSL is configured to reject
deprecated algorithms or parameters (e.g., key sizes). Make such errors
easier to understand in debug log.
Jouni Malinen [Sat, 1 Mar 2025 10:04:10 +0000 (12:04 +0200)]
RADIUS: Check MD5 processing result
The MD5 functions may fail, e.g., if the used crypto library is
configured to reject deprecated old algorithms. Check for this more
consistently in RADIUS routines and make it obvious in the debug log if
this is causing operations to fail instead of trying to proceed and hide
the issue.
Add new roam trigger vendor attribute values to configure the roaming
parameters dynamically. QCA_ROAM_TRIGGER_REASON_WTC, trigger roam on
wireless-to-cellular BSS transition request.
QCA_ROAM_TRIGGER_REASON_BT_ACTIVITY, trigger roam on Bluetooth
connection, when station is on the 2.4 GHz band.
Jouni Malinen [Thu, 27 Feb 2025 09:06:40 +0000 (11:06 +0200)]
Share wpa_init() error path handling
Use a single place to handle cleanup after failures instead of multiple
copies of this code. Also share the wpa_auth->group deinit routine with
wpa_deinit() even though there cannot be multiple groups or initialized
keys in the wpa_init() case.
Chenming Huang [Wed, 26 Feb 2025 14:32:27 +0000 (20:02 +0530)]
AP MLD: Search MLD-level and per-link PMKSA caches
There are cases where non-AP MLD first associates with MLO but
reassociates with non-MLO using PMKSA caching. Since the standard does
not explicity disallow such cases, it makes sense to have additional
code to check the MLD level PMKSA cache as well even when processing
non-ML associations. Same would apply in the other direction, i.e., ML
association with PMKSA caching should search all affiliated APs of the
AP MLD for a PMKID match.
Check both the MLD-level and per-link PMKSA caches when trying to find a
match for an PMKID in (Re)Association Request frame.
Chenming Huang [Wed, 26 Feb 2025 14:32:26 +0000 (20:02 +0530)]
AP MLD: Store PMKSA from DPP to both per-link and MLD-level cache
When we cannot determine whether the peer is non-AP MLD (which is the
case with DPP AKM), store the PMKSA into both the MLD-level and per-link
caches when operating as an AP MLD.
Chenming Huang [Wed, 26 Feb 2025 14:32:24 +0000 (20:02 +0530)]
AP MLD: Mark STA as MLD before checking association IEs
In __check_assoc_ies(), ap_sta_is_mld() is already being used to
determine whether a peer is an MLD or not. However, when calling
__check_assoc_ies() from ieee80211_ml_process_link(),
ap_sta_set_mld() is not yet called. So inside __check_assoc_ies()
the sta entry is treated as non-MLD, which leads to wrongly
fetching PMKSA entry from regular pmksa entry list instead of
ml_pmksa. That results in a connection failure.
Move ap_sta_set_mld() to be used earlier since we already know it is an
MLD peer at that point.
Chenming Huang [Wed, 26 Feb 2025 14:32:20 +0000 (20:02 +0530)]
AP MLD: Define a new MLD-level PMKSA cache shared by all links
Currently PMKSA is only cached on the association link. Subsequent
connections may happen on other links if peer is a non-AP MLD.
Association using SAE might get rejected due to PMKID not found in such
cases.
Define a new PMKSA entry list in struct wpa_authenticator which will be
used in subsequent commits. Initialize ml_pmksa only on the primary link
authenticator and deinitialize it when the last link authenticator is
deinitialized. Other affiliated links share the same instance.
Jouni Malinen [Wed, 26 Feb 2025 10:02:37 +0000 (12:02 +0200)]
Fix current_bss use in checking whether SSID has been verified
The call to wpa_supplicant_update_scan_resuls() might change
wpa_s->current_bss, so need to fetch the ssid/ssid_len again after that
all to avoid potential use of freed memory.
Fixes: 5452a4a30204 ("SSID verification based on beacon protection") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 25 Feb 2025 21:44:47 +0000 (23:44 +0200)]
ERP: Initialize hapd->erp_keys earlier to avoid undefined behavior
This dl_list needs to be initialized earlier since
ieee802_1x_erp_flush() is trying to clear it even in case of failed
interface start that might not have made it all the way to the place
which the dl_list was previously initialized.
Jouni Malinen [Tue, 25 Feb 2025 21:19:30 +0000 (23:19 +0200)]
Avoid undefined behavior in get_vendor_ie()
This might be called with ies == NULL and for_each_element_id() would
try to calculate NULL + 0 in that case. That would be undefined
behavior. Avoid that by checking for ies == NULL just like the other
get_ie*() functions already did.
Jouni Malinen [Tue, 25 Feb 2025 21:01:40 +0000 (23:01 +0200)]
Remove undefined behavior from ieee802_11_defrag()
ieee802_11_defrag() might be called with data == NULL and that would
result in trying to calculate end = data + len = NULL + 0 which is
undefined behavior. Calculate the end pointer only after data has been
checked to not be NULL to avoid this.
Fixes: ec03b71ee999 ("common: Refactor element defragmentation") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 25 Feb 2025 20:57:40 +0000 (22:57 +0200)]
Fix wpa_supplicant global config bool reading/writing
The generic int parser cannot be used with bool variables since it is
possible for the bool variables to be shorter in size and result in
misaligned read/write. Use a separate set of routines for handling bool
variables to avoid this.
Jouni Malinen [Tue, 25 Feb 2025 20:36:54 +0000 (22:36 +0200)]
mesh: Fix mesh_external_pmksa_cache initialization to cover error cases
The dl_list needs to be initialized before wpa_supplicant_cleanup() can
be called, e.g., due to an early termination caused by failure to
initialize the interface.
Jouni Malinen [Tue, 25 Feb 2025 09:42:02 +0000 (11:42 +0200)]
FT: Do not discard EAPOL-Start frame during initial MD association
Commit c97168f58ae9 ("FT: Discard EAPOL-Start frames when FT was used
for association") started discard EAPOL-Start frames in all cases where
FT is used, including the initial MD association. The exact IEEE 802.11
standard language requiring the STA to perform a new FT initial MD
association when its Supplicant triggers sending of an EAPOL-Start frame
has a condition on this being "after a successful initial mobility
domain association domain", so this would not really apply during the
initial MD association itself.
Relax the conditions on processing EAPOL-Start frames so that they are
still processed during the FT initial mobility domain association, but
are then discarded after that succeeds (i.e., during rest of that
association and any future association started using FT protocol).
- For SUITEB128 the 128-bit strength ciphersuites should appears first
in the list
- Update RSA key strengths
- Update ECC key strengths
- Update tests to pass with wolfSSL. wolfSSL fails as soon as the key is
being loaded if it doesn't match the minimum key strength requirements.
nl80211: Mark HT disabled on channel switch to a 6 GHz channel
During channel switch processing ht_enabled was left enabled for 6 GHz
channels since those cases do not use NL80211_CHAN_NO_HT. This would
show incorrect channel information in the STATUS control interface
command.
Fix this by clearing ht_enabled when a channel switch event is
indicating a switch to a 6 GHz channel.
nl80211: Fix hostapd crash when managing AP MLD interfaces
hostapd crash has been observed in the following scenario: bring up
multiple AP MLD interfaces, delete all AP MLD interfaces using another
user space application like 'iw', and then remove all interfaces in
hostapd.
When deleting an AP MLD interface using another user space application,
the kernel sends the NL80211_CMD_STOP_AP event for each link to hostapd,
hostapd resets valid_links, and sends a remove link command to the
kernel. valid_links will become zero after all the links are removed,
but bss interface will not be removed in hostapd.
In the current design, when removing the link bss interface, the
interface is not removed if the link is not available. When the
interface, which was not removed, is added, it accesses a dangling
pointer of the AP MLD interface and causes the crash.
Fix this by removing the interface even if there are no more links. This
ensures that the AP MLD interface is properly removed, preventing access
to a dangling pointer and avoiding the crash.
With Wireshark 4.4.0 and above, there are slight changes in the filters for
fetching multi-link control elements and STA profile ID lists. Add support
for these updates to ensure the test cases are compatible with the latest
version of Wireshark.
The changes are:
* Multi-Link Control:
wlan.eht.multi_link.control instead of wlan.eht.multi_link_control
* STA Profiles LinkIds: It is now Character string.
Jouni Malinen [Sun, 23 Feb 2025 15:00:09 +0000 (17:00 +0200)]
EAP-TEAP: Check session_id length explicitly to avoid warnings
Some static analyzers might expect tls_get_tls_unique() to be able to
return arbitrarily large values and warn about integer overflow here.
Avoid such incorrect warnings with an explicit check.
Jouni Malinen [Sun, 23 Feb 2025 14:38:11 +0000 (16:38 +0200)]
RNR: Silence static analyzer warnings
The !tbtt_count check seemed to be too complex for static analyzers to
understand that len and total_len have been incremented by at least
RNR_TBTT_HEADER_LEN. Silence the incorrect warning about interget
overflow with explicit checks.
Jouni Malinen [Sun, 23 Feb 2025 14:27:03 +0000 (16:27 +0200)]
nl80211: Debug print setsockopt() failures for NETLINK_EXT_ACK
Even though we explicitly ignore these errors, it is better to print
them into the debug log if for no other reason than to get rid of some
static analyzer warnings about unchecked reutrn values.
Jouni Malinen [Sun, 23 Feb 2025 14:21:45 +0000 (16:21 +0200)]
MLD: Try to avoid static analyzer warnings about tainted variable
*pos was already checked above, but some static analyzers might not
understand that construction when the 8-bit value from the buffer is
assigned after the checks, so check again explicitly to get rid of
incorrect error reports.
Jouni Malinen [Sun, 23 Feb 2025 14:14:50 +0000 (16:14 +0200)]
Use pointer to Action frame body instead of Category field
This will hopefully silence some incorrect static analyzer warnings
about out-of-bounds reads since mgmt->u.action.category is an u8 while
this is really getting a pointer to that location in the Action frame
body and not just the 8-bit Category field.
Jouni Malinen [Sun, 23 Feb 2025 10:44:50 +0000 (12:44 +0200)]
P2P2: Check ssid != NULL more consistently in wpas_p2p_invite()
The recently added !ssid check here could make static analyzers complain
about dereferencing ssid in the function, so instead of covering just
the special P2P2 case, check explicitly for ssid == NULL for all cases.
Jouni Malinen [Sun, 23 Feb 2025 10:41:16 +0000 (12:41 +0200)]
mka: Simplify dl_list entry freeing
There is no need to call both dl_list_empty() and dl_list_entry()
separately in this manner since dl_list_first() is for that exact
purpose. Simplify this and also make it easier for static analyzers.
Jouni Malinen [Sun, 23 Feb 2025 10:03:40 +0000 (12:03 +0200)]
Make eht_cap != NULL check explicit to help static analyzers
data->eht_enabled was used to avoid getting here with eht_cap == NULL,
but that was too complex for some static analyzers. Make this more
explicit to avoid false reports.
Jouni Malinen [Sun, 23 Feb 2025 09:59:47 +0000 (11:59 +0200)]
PASN: Make ssid != NULL check easier for static analyzers
wpas_pasn_sae_setup_pt() would dereference ssid so it cannot be NULL in
the call. That was already taken care of by removing WPA_KEY_MGMT_*SAE*
in the ssid == NULL case. Anyway, adding an explicit check for !ssid
here gets rid of incorrect static analyzer reports.
Jouni Malinen [Sun, 23 Feb 2025 09:56:16 +0000 (11:56 +0200)]
P2P: Initialize new_ssid explicitly to make this easier for analyzers
new_ssid_len == 0 was used to skip reference to new_ssid in
p2p_build_invitation_resp(). This was too complex for some static
analyzers to notice, so initialize new_ssid as well to avoid false
reports.
Jouni Malinen [Sun, 23 Feb 2025 09:53:36 +0000 (11:53 +0200)]
P2P: Make sure go_dev_addr is initialized
wpas_p2p_persistent_group() does not set go_dev_addr if the group is no
persistent. Initialize go_dev_addr explicitly to all zeroes before that
call to make sure it cannot be uninitialized here.
Jouni Malinen [Sun, 23 Feb 2025 09:36:03 +0000 (11:36 +0200)]
Check network configuration availability before use in MAC randomization
wpas_update_random_addr_disassoc() could call wpas_update_random_addr()
with ssid == NULL, so need to be more careful here when comparing the
pregenerated address.
Fixes: bdbb6e0035ae ("wpa_supplicant: Handle MAC address randomization changes for same ESS") Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 22 Feb 2025 19:15:41 +0000 (21:15 +0200)]
OSEN: Remove all OSEN functionality
Passpoint spec v3.4 removed all OSU functionality, including OSEN. In
practice, this means that there is not going to any deployment or use of
the OSEN functionality in the future and as such, there is no need to
maintain this implementation.
Passpoint spec v3.4 removed all OSU functionality. In practice, this
means that there is not going to any deployment or use of the OSU
technology in the future and as such, there is no need to maintain this
OSU client implementation.
Jouni Malinen [Sat, 22 Feb 2025 18:12:35 +0000 (20:12 +0200)]
HS 2.0 server: Remove example OSU SPP server
Passpoint spec v3.4 removed all OSU functionality. In practice, this
means that there is not going to any deployment or use of the OSU
technology in the future and as such, there is no need to maintain this
example OSU server implementation.
Jouni Malinen [Sat, 22 Feb 2025 18:02:38 +0000 (20:02 +0200)]
Interworking: Prefer cred realm over realm in username for anonymous NAI
Commit 61b2ed701291 ("Interworking: Use anonymous NAI in EAP-TTLS Phase
1") introduced a mechanism for generating an anonymous NAI specifically
for EAP-TTLS Phase 1. However, it was implemented before Passpoint R2
rules were defined for this and the implementation was not updated to
match the rules. The implementation uses the realm from the
cred::username, if present, over the separate cred::realm parameter.
However, the current Passpoint spec mandates realm from
PPS/<X+>/Credential/Realm (i.e., cred::realm in wpa_supplicant
configuration) to be used for this.
Reorder the priorities for the first two options for constructing the
anonymous identity when generating a network profile from a credential,
i.e., use cred::realm, if set, regardless of whether cred::username
contains a realm. cred::username is used as-is in Phase 2 which means
the inner and outer identities can now be configured to use different
realms.
Jouni Malinen [Sat, 22 Feb 2025 17:01:16 +0000 (19:01 +0200)]
SAE: Multiple default password iteration
SAE was designed to protect against offline dictionary attacks and that
prevents clean implementation of the multiple-password design similarly
to what has been done with WPA2-Personal. SAE has a concept of multiple
passwords with an explicit password identifier to identify which
password a STA is using. However, that has unfortunately not been
deployed in STAs so far which makes it inconvenient to use multiple
passwords in a WPA3-Personal network since configuring passwords
separately for each STA MAC address is both inconvenient and unrealistic
if MAC address randomization is used.
Allow hostapd to be configured to iterate over a small number of default
SAE passwords (i.e., passwords that do not use a password identifier and
that are allowed for any STA MAC address). This allows more than a
single SAE password to be used in a network. However, this comes with
risk of STAs delaying connection attempts since they might consider this
type of behavior to be an active attack (which it strictly speaking is).
In any case, this seems to be the only realistic method for SAE
deployment with multiple passwords today and it seems to work with up to
five SAE passwords at least with STAs that use wpa_supplicant.
When enabled, hostapd will try to use default SAE passwords one by one
until success. Successful authentication locks the selected password
into use. Failed attempt tracks the STA's MAC address with the password
and causes other passwords to be attempted on next tries. This works
relatively well as long as the STA is willing to attempt SAE multiple
times when the AP is rejecting attempts with Status Code 1 (unspecified
failure), i.e., a different Status Code compared to the normal password
mismatch case with 15 (challenge fail). Another possibility would have
been to silently discard failed Confirm messages to make this look more
like a lost frame than any explicitly indicated error case. However,
that would result in longer delay for retry attemots at least with
wpa_supplicant implementation.
This functionality can be enabled by setting the new configuration
parameter sae_track_password to a nonzero value. It should be set based
on how many active STAs are expected to be used the network. Larger
values use a bit more memory (12 bytes for each additional tracked STA
for each configuured default SAE password) and slightly increased
processing steps. The actual default passwords are set with
sae_password.
For example, this would allow three SAE passwords to be used:
Jouni Malinen [Sat, 22 Feb 2025 09:48:28 +0000 (11:48 +0200)]
tests: Avoid leaving dpp_connector_privacy_default=1 to next test case
sigma_dut_ap_dpp_self_config_connector_privacy could end up leaving the
default DPP connector privacy setting modified for the following test
case. That would make dpp_network_intro_version_missing_req fail. Fix
this by explicitly clearing the modified configuration parameter.
Jouni Malinen [Sat, 22 Feb 2025 09:45:29 +0000 (11:45 +0200)]
tests: Avoid failure in IBSS testing due to old scan results
ibss_open_fixed_bssid could leave behind old BSS entries that would
survive to the next test case. ibss_vht_80p80 would fail to establish
the IBSS on the expected channel in such cases. Explicitly flush the BSS
entries from kernel to avoid this.
Jouni Malinen [Sat, 22 Feb 2025 09:25:31 +0000 (11:25 +0200)]
nl80211: Fix PASN auth alg check on big-endian CPUs
auth_type is set to a value that is already converted to host byte order
and as such the following comparison must not convert the defined value
to little-endian byte order.
Fixes: 58a96187eed8 ("nl80211: Allow PASN Authentication frames with random (foreign) MAC address") Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 22 Feb 2025 09:15:27 +0000 (11:15 +0200)]
MLD: Fix MLE parsing in for association on big-endian CPUs
The control variable is ANDed with ml_control in host byte order and as
such, the control variable should have been initialized without
conversion to little endian.
Fixes: 5af986c75af4 ("MLD: Also mark links as failed after association failure") Signed-off-by: Jouni Malinen <j@w1.fi>
Pooventhiran G [Wed, 12 Feb 2025 04:03:00 +0000 (09:33 +0530)]
AP MLD: Request MLO Group KDEs for a subset of links
While requesting GTK, IGTK, and BIGTK group KDEs, all link group key
data are fetched by default. Make the APIs flexible by requesting for a
subset of links which may as well be all links, and populate the keys as
KDE for only the requested links.
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Jouni Malinen [Sat, 15 Feb 2025 10:19:15 +0000 (12:19 +0200)]
tests: Fix owe_invalid_assoc_resp with mac80211_hwsim STRICT validation
mac80211 has started rejecting the association attempt based on some
HT/WMM information missing for the (Re)Association Response frame when
in STRICT validation mode and that broke this test case with
mac80211_hwsim due to the Association Response frame being constructed
without HT and WMM information in the test script. Disable HT for now to
avoid this.
Johannes Berg [Mon, 3 Feb 2025 20:45:30 +0000 (21:45 +0100)]
nl80211: Remove support for use_monitor
Using nl80211 for management and EAPOL TX/RX has been available in the
kernel for over a decade, including TX status for data frames starting
from kernel 3.3. Remove support for (cooked) monitor TX/RX, leaving a
simple non-RX monitor for unencrypted TX testing.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Mon, 3 Feb 2025 20:45:28 +0000 (21:45 +0100)]
tests: ap_pmf: Stop using use_monitor=1
There's no need for this anymore, all the tests work without it. This
was originally used to be able to inject unprotected Deauthentication
and Disassociation frames in cases where PMF was in use, but commit 9bedf90047d6 ("nl80211: Use monitor interface for sending no-encrypt
test frames") allowed this to be done without having to for AP
operations to use the monitor interface for EAPOL frames with
use_monitor=1.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Chenming Huang [Fri, 14 Feb 2025 06:08:37 +0000 (11:38 +0530)]
AP MLD: Set WLAN_STA_ASSOC flag before copying STA entry (SME-in-driver)
In SME offloaded cases, it was found that WLAN_STA_ASSOC flag is
not set on all STA entries. This is because STA entries are
copied before WLAN_STA_ASSOC flag is set in the assocation link.
To fix that, set WLAN_STA_ASSOC flag properly before calling
hostapd_process_assoc_ml_info() where flags are copied to STA
entries in other links.
Chenming Huang [Thu, 23 Jan 2025 02:07:39 +0000 (07:37 +0530)]
DPP: Send connection status result if disconnected during 4-way HS
Connection status result was reported during failed 4-way handshake if
that failure might have been due to an incorrect phassphrase/password.
4-eay handshake might fail for other reasons and if that is the case,
the connection status result is delayed unnecessarily long untile the 15
second timeout occurs.
Optimize this by sending out the connection status result in all
disconnection cases that happen before the 4-way handshake has been
completed successfully.
Chenming Huang [Thu, 14 Nov 2024 06:28:59 +0000 (11:58 +0530)]
AP MLD: Allow new link to be added through control interface
AP MLD link is added with the same interface name but current control
interface command "ADD" does not consider tjat AP MLD case yet.
Modify the logic here to support adding a new AP MLD link from the "ADD"
command, too, by adding a new hostapd_iface structure instead of just a
new BSS into the existing structure.
Make sure wpa_sm has correct PMK when PMKSA cache used by driver
The PMK corresponding to the PMKSA cache entry used by the driver is
updated to wpa_sm only when the authorized flag set in the association
event data. In cases where the authorized flag is not set, i.e., initial
association or roam indication with 4-way handshake not completed by the
driver, the PMK is not updated and may be left at the default value
based on not yet known AKM and group. That would result in issues for
SAE-EXT-KEY cases where groups 20 or 21 are used since the Key MIC
length of the EAPOL-Key frames depends on the used PMK length. In
particular, wpa_sm needs to know the correct PMK length to determine the
Key MIC field length and the offset of the Key Data Length field
correctly in the EAPOL-Key msg 1/4. Otherwise, wpa_sm may fail to parse
the EAPOL-Key msg 1/4.
Fix this by always setting the PMK from the PMKSA entry corresponding to
the PMKID used by the driver in the (Re)Association Request frame to
wpa_sm.
Chenming Huang [Thu, 13 Feb 2025 03:38:39 +0000 (09:08 +0530)]
AP MLD: Cancel ap_sta_assoc_timeout for partner links
An earlier commit implements a timeout handler to remove unassociated
sta entries. For AP MLD, when a non-AP MLD is associated, the timeout
handler needs to be removed in its partner links, too. The check for
WLAN_STA_ASSOC is supposed to skip such cases in ap_sta_assoc_timeout(),
but it is better to cancel this timeout altogether from all links.
Fixes: 07ee3e8b0eb4 ("Remove STA entries if association is not completed in 60 seconds") Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Define a QCA vendor subcmd to set periodic probe response config
Define a QCA vendor subcmd to send periodic or on-demand
directed Probe Response frames to a connected peer.
This config command will include attributes as per enum
qca_wlan_vendor_attr_periodic_probe_rsp_cfg.
Attribute list includes:
QCA_WLAN_VENDOR_ATTR_PROBE_RESP_CFG_PEER_MAC_ADDR
QCA_WLAN_VENDOR_ATTR_PROBE_RESP_CFG_PERIOD
QCA_WLAN_VENDOR_ATTR_PROBE_RESP_CFG_COUNT
Meng Yuan [Wed, 8 Jan 2025 08:10:10 +0000 (16:10 +0800)]
P2P: Check IEs buffer before use more consistently
Commit cab963e9f887 ("AP: Split check_assoc_ies()") added check for
ies/ies_len before going through the P2P element. Add similar checks for
p2p_group_notif_assoc() to be consistent and avoid potential risk of
associated STA tracking for P2P groups dereferencing NULL pointers.
Jouni Malinen [Tue, 11 Feb 2025 20:48:07 +0000 (22:48 +0200)]
Simplify supported rates and BSS membership selectors generation
Use a common helper function to generate the complete list of supported
rates and BSS membership selectors so that building the Supported Rates
and BSS Membership Selectors and the Extended Supported Rates and BSS
Membersip Selectors elements can be generated without having to
duplicate the logic for determining the actual values for the
rates/selectors. The functions for building these elements are now
simply selecting the subset of the values from the output from the
helper function.
MBSSID: Correctly compute the Extended Supported Rates element length
A hardcoded value of 8 bytes was used as the length for the Extended
Supported Rates element. This approach can cause issues if any changes
are made to the function without updating the length accordingly.
Determine the length properly instead of hardcoding and incorporate it
into the Multiple BSSID element length calculation.
And since this will now happen while calculating length, there is no
need to call hostapd_eid_ext_supp_rates() in
ieee802_11_build_ap_params_mbssid().
MBSSID: Fix Non-Inheritance element length calculation
Commit 4bfc007b61e6 ("MBSSID: Fix Non-Inheritance element encoding")
added one octet while filling the data. However, this one octet is
missing during length calculation. Add it now.
Jouni Malinen [Tue, 11 Feb 2025 10:02:34 +0000 (12:02 +0200)]
GAS: Fix eloop timeout clearing on random MAC address error path
There is one error case (for failing to update random MAC address) that
uses gas_query_free() for a query that has started and as such, might
have registered eloop timeouts. However, eloop timeouts were canceled in
gas_query_done() and as such, that was skipped for this error case. That
could result in leaving behind timeouts pointing to freed memory.
Fix this by moving eloop_cancel_timeout() calls to gas_query_free() so
that they are covered for all cases.
Fixes: c267753ba2cc ("Add support for using random local MAC address") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Sun, 9 Feb 2025 16:20:31 +0000 (18:20 +0200)]
EAP-pwd: Make code easier for static analyzers
resultbytelen cannot be 0 when resultbitlen != 0 and as such,
result[resultbytelen - 1] here cannot point to invalid index. However,
this is apparently too complex for static analyzers, so make this more
obvious to avoid false positives.
Jouni Malinen [Sun, 9 Feb 2025 16:17:39 +0000 (18:17 +0200)]
JSON: More explicit check for depth in arrays/objects
Invalid state here was detected based on the parent token being in
JSON_STARTED state, but to be clearer for static analyzers, also check
explicitly that depth is not 0.
Jouni Malinen [Sun, 9 Feb 2025 16:12:40 +0000 (18:12 +0200)]
SHA-PRF: Make code easier for static analyzers
pos cannot be 0 when buf_len_bits != 0 and as such, buf[pos - 1] here
cannot point to invalid index. However, this is apparently too complex
for static analyzers, so make this more obvious to avoid false
positives.
projects / thirdparty / hostap.git / log
